NetApp Community Update
This site will enter Read Only mode on July 23 as we prepare to move to a new platform. You will still be able to view content, but posting and replying will be temporarily disabled.
We're excited to launch our new Community experience on July 30 and more information will follow soon.
Stay connected during the transition - Join our Discord community today.

ONTAP Discussions

Audit logs

vairavaniyyappan
4,596 Views

Hi Team,


I am an Security Analyst and i was assigned to a Storage Project[Netapp] for which i need some information in regard with the logging..,


One more query is the log format same as filer O/P in data ontap.



Log Format for Messages
log format:
<PRI> <TIME> ' ' <MESG> '[' <MDATA> ' ' <SIG> ' ']
<DAY> Event Day
<DATE> Event Date
<TIME>  Event Time
<[EVENT:> Event Name which is Event ID
<:Severity]> Severity is categories like emerg, alert, crit, err, warning, notice, info, debug
<MSG> Details About Message
 
Log Format of adtlog.evt
log format:
DATE | TIME | Event ID | Operation Outcome | Number of seconds of duplicated events | Filer Name | Number of duplicate events detected | Protocol used | User | Object | Access Code 

Sample Log:
  20060801|104748|560|Success|0|DATA|0|CIFS|petemo|DATA|-|\vol\vol0\etc|Read Attributes|

<Date>  Date (20060801)
<Time>  Time (104742)
<Event ID> Event ID (540,538,560) Support Windows Event ID’s
<Operation Outcome>  Operation Details (Success or Failure)
<Number of seconds of duplicated events> Number
<Filer Name> Filer Name (Data)
<Number of duplicate events detected> Number
<Protocol used>  Protocol Used (Unknown, CIFS, NFS,HTTP)
<User>  User Name (administrator, petemo)
<Object>  Object Details e.g.(\vol\vol0\etc\lclgroups.cfg)
<Access Code>  (Read:Read Attributes)

Regards,

Iyyappan.

1 REPLY 1

TNQNETAPPADMIN
4,596 Views

https://kb.netapp.com/support/index?page=content&id=1011243


Please make sure that the auditing is enabled in the windows. I have copy pasted the section below for your convenience.

===========================================================
To setup additional items that will be audited, you will need to configure specific audit rules for each share or qtree:

  1.     In Computer Manager, go to the qtree or folder that you wish to audit.
  2.     Select the Security tab , then the Advanced tab, and select Auditing.
  3.     Specify the groups and events to be audited.

============================================================

Public